The UI daemon in Apache Storm 0.10.0 prior to 0.10.0-beta1 allows remote malicious users to execute arbitrary code via unspecified vectors.
apache storm 0.10.0